2010-06-04
10:45 AM
IDS alerting through VAM
We are about to deploy an enVision solution where it will be receiving IDS messages (from ISS RealSecure via Proventia) and asset scans (from Nessus). I understand that VAM can be used to assign a confidence rating against an IDS message, but I don't really understand enough to know how to use this in filtering out false positives so that enVision becomes the primary console for alerting.
How easy is it to write a rule that raises an alert if an IDS message is received with a high level of confidence that it is not a false positive?
Jim
0 Replies
